SentinelOne Logs
Connecting SentinelOne Cloud Funnel logs to your Panther Console
Last updated
Connecting SentinelOne Cloud Funnel logs to your Panther Console
Last updated
Panther supports ingesting the following log types from SentinelOne:
Activity logs
SentinelOne Activity logs capture a multitude of events that occur in your network, including threat management events like Custom Rules - New Alert and User Marked Application As Threat, as well as administrative operations like Agent Request Uninstall and User 2FA Modified.
Panther pulls Activity logs from the /web/api/v2.1/activities endpoint in the SentinelOne API. This /activities endpoint is available on all paid SentinelOne plans.
To ingest these logs, follow the instructions in How to onboard SentinelOne API Activity logs to Panther, below.
Deep Visibility 2.0 logs
Deep Visibility logs capture SentinelOne EDR and XDR telemetry data.
SentinelOne Cloud Funnel is an enhanced XDR data streaming service that forwards logs to a cloud storage location. Panther pulls Deep Visibility logs from this cloud storage location.
To ingest these logs, follow the instructions in How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther, below.
The instructions below apply to SentinelOne API Activity logs. For instructions on how to onboard SentinelOne Cloud Funnel logs, see the next section: How to onboard SentinelOne Deep Visibility logs to Panther.
You will need an API Token from a Service User that has the Viewer role in your SentinelOne account. If you already have an API Token from a Service User, you may skip this step.
In the left-hand navigation bar of your SentinelOne Dashboard, click Settings.
At the top of the Settings page, click the Users tab.
On the left side of the Users page, click Service Users.
Click the Actions dropdown, then click Create New Service User.
On the Create New Service User page, enter a name and a description, choose an expiration date, then click Next.
On the "Select Scope of Access" page, configure the following:
Access Level: Account
Account selected: Ensure you have selected the correct account and that the role is set to Viewer
Click Create User.
Copy the API Token and store it in a secure location, as you will need to provide to Panther in the next part of the log source onboarding process.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “SentinelOne API,” then click its tile.
In the slide-out panel, click Start Setup.
Configure the SentinelOne API source:
Name: Enter a descriptive name for the source, e.g., SentinelOne API.
SentinelOne API Organization: Enter the subdomain of your SentinelOne account. To find this value, log in to your SentinelOne Dashboard and copy the subdomain from the URL.
For example, if your dashboard URL is https://example-domain.sentinelone.net/dashboard, your subdomain would be example-domain.
API Token: Enter the token of your Service User that you copied in the previous steps of this documentation.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
You have created a cloud storage entity.
If you are using AWS S3, configure it according to the SentinelOne documentation found at [SentinelOne Domain]/docs/en/how-to-configure-your-amazon-s3-bucket.html.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “SentinelOne Cloud Funnel 2.0,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the AWS S3 Bucket option.
In the slide-out panel, click Start Setup.
Follow Panther’s documentation for configuring AWS S3 as a Data Transport.
Follow the SentinelOne documentation on how to enable Cloud Funnel streaming to your cloud storage location, found at [SentinelOne Domain]/docs/en/how-to-enable-cloud-funnel-streaming.html#how-to-enable-cloud-funnel-streaming.
Activity events from the SentinelOne API.
schema: SentinelOne.Activity
parser:
native:
name: SentinelOne.Activity
description: Get the activities, and their data, that match the filters. We recommend that you set some values for the filters.
referenceURL: https://usea1-partners.sentinelone.net/api-doc/api-details?category=activities&api=get-activities
fields:
- name: accountId
description: Account id
type: string
- name: accountName
description: Account Name
type: string
- name: activityType
required: true
description: Activity Type
type: int
- name: activityUuid
description: Activity UUID
type: string
- name: agentId
description: Related Agent Id
type: string
- name: agentUpdatedVersion
description: Agents updated version
type: string
- name: comments
description: Comments
type: string
- name: createdAt
description: Activity creation time (UTC)
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: data
description: Event specific data. It can have following possible fields accountid, accountname, action, actoralternateid, agentipv4, alertid, alertprocessname, alertscounter, application, applicationtype, attr, bundlemessage, byuser, changedkeys, commandbatchuuid, commandid, computername, confidencelevel, createdat, createdbyusername, current, datasourcename, deactivationperiodindays, description, detectedat, direction, disabledlevel, dnsrequest, dnsresponse, downloadurl, dstip, dstport, dveventid, dveventtype, email, enabledreason, error, escapedmaliciousprocessarguments, eventcategory, eventdetails, eventexternalid, eventtime, exclusiontype, expiration, expirationmessage, expirydatestr, expirytime, externalip, externalip, externalthreatvalue, filecontenthash, filedisplayname, filename, filepath, fullscopedetails, fullscopedetailspath, group, groupid, groupname, grouptype, indicatorcategory, indicatordescription, indicatorname, initiatedbyname, ipaddress, k8sclustername, k8scontainerid, k8scontainerimage, k8scontainerlabels, k8scontainername, k8scontrollerkind, k8scontrollerlabels, k8scontrollername, k8snamespace, k8snamespacelabels, k8snode, k8spod, k8spodlabels, key, licensesdescription, localhost, localhosttype, localports, localporttype, locationnames, loginaccountdomain, loginaccountsid, loginisadministratorequivalent, loginissuccessful, loginsusername, logintype, majorversion, minorversion, modulemessage, modulepath, modulesha1, namechange, namemessage, neteventdirection, networkquarantine, newincidentstatus, newincidentstatustitle, newstatus, newvalue, noteaction, notedetails, oldaccountname, olddescription, oldincidentstatus, oldincidentstatustitle, oldkey, oldrulename, oldsitename, oldstatus, oldvalue, optionalgroups, order, origagentmachinetype, origagentmachinetype, origagentname, origagentname, origagentosfamily, origagentosfamily, origagentosname, origagentosname, origagentosrevision, origagentosrevision, origagentsiteid, origagentuuid, origagentuuid, origagentversion, origagentversion, originalstatus, osarch, osfamily, ostypes, packageid, physical, platformtype, policy, policyname, previous, protocol, reason, recoveryemail, registrykeypath, registryoldvalue, registryoldvaluetype, registrypath, registryvalue, remotehost, remotehosttype, remoteports, remoteporttype, reportlog, reportmgmt, role, rolename, rulecreationtime, ruledescription, ruleexpirationmode, ruleid, rulename, rulequerydetails, rulequerytype, rulescopeid, rulescopelevel, ruleseverity, scopeid, scopelevel, scopelevelname, scopename, setting, settingmessage, severity, siteexpiration, siteid, sitename, source, sourcename, sourceparentprocesscommandline, sourceparentprocessintegritylevel, sourceparentprocesskey, sourceparentprocessmd5, sourceparentprocessname, sourceparentprocesspath, sourceparentprocesspid, sourceparentprocesssha1, sourceparentprocesssha256, sourceparentprocesssigneridentity, sourceparentprocessstarttime, sourceparentprocessstoryline, sourceparentprocesssubsystem, sourceparentprocessusername, sourceprocesscommandline, sourceprocessfilehashmd5, sourceprocessfilehashsha1, sourceprocessfilehashsha256, sourceprocessfilepath, sourceprocessfilesigneridentity, sourceprocessintegritylevel, sourceprocesskey, sourceprocesskey, sourceprocessmd5, sourceprocessname, sourceprocesspid, sourceprocesssha1, sourceprocesssha256, sourceprocessstarttime, sourceprocessstoryline, sourceprocesssubsystem, sourceprocessusername, srcip, srcmachineip, srcport, status, storyline, system, systemuser, tagid, tagnames, tags, tgtfilecreatedat, tgtfilehashsha1, tgtfilehashsha256, tgtfileid, tgtfileissigned, tgtfilemodifiedat, tgtfileoldpath, tgtfilepath, tgtproccmdline, tgtprocessstarttime, tgtprocimagepath, tgtprocintegritylevel, tgtprocname, tgtprocpid, tgtprocsignedstatus, tgtprocstorylineid, tgtprocuid, threatalreadyexists, threatclassification, threatclassificationsource, tiindicatorcomparisonmethod, tiindicatorsource, tiindicatortype, tiindicatorvalue, treatasthreat, type, updatedescriptionmessage, updatenameanddescriptionmessage, updatenamemessage, uploadedfilename, userid, username, userscope, uuid, value, version
type: json
- name: description
description: Event description
type: string
- name: groupId
description: Related group id
type: string
- name: groupName
description: Related group name
type: string
- name: hash
description: Threat file hash
type: string
- name: id
required: true
description: Activity id
type: string
indicators:
- trace_id
- name: osFamily
description: Agent's OS type
type: string
- name: primaryDescription
description: Primary activity description
type: string
- name: secondaryDescription
description: Secondary activity description
type: string
- name: siteId
description: Related site id
type: string
- name: siteName
description: Related site name
type: string
- name: threatId
description: Related threat id
type: string
- name: updatedAt
description: Activity last updated time (UTC)
type: timestamp
timeFormats:
- rfc3339
- name: userId
description: User who invoked the activity
type: stringDeep Visibility 2.0 events from the SentinelOne services.
schema: SentinelOne.DeepVisibilityV2
description: Deep Visibility events from the SentinelOne Cloud Funnel 2.0 service
referenceURL: https://support.sentinelone.com/hc/en-us/articles/4409020727575
fields:
- name: timestamp
description: Timestamp field
type: timestamp
timeFormats:
- rfc3339
- name: dataSource.category
description: DataSourceCategory field
type: string
- name: dataSource.name
description: DataSourceName field
type: string
- name: endpoint.name
description: EndpointName field
type: string
- name: endpoint.os
description: EndpointOs field
type: string
- name: endpoint.type
description: EndpointType field
type: string
- name: agent.uuid
description: AgentUuid field
type: string
- name: agent.version
description: AgentVersion field
type: string
- name: site.name
description: SiteName field
type: string
- name: site.id
description: SiteId field
type: string
- name: event.category
description: EventCategory field
type: string
- name: event.type
description: EventType field
type: string
- name: event.time
required: true
description: EventTime field
type: timestamp
timeFormats:
- unix_ms
isEventTime: true
- name: event.id
description: EventId field
type: string
- name: event.repetitionCount
description: EventRepetitionCount field
type: bigint
- name: src.process.name
description: SrcProcessName field
type: string
- name: src.process.storyline.id
description: SrcProcessStorylineId field
type: string
- name: src.process.cmdline
description: SrcProcessCmdline field
type: string
- name: src.process.user
description: SrcProcessUser field
type: string
- name: src.process.startTime
description: SrcProcessStartTime field
type: timestamp
timeFormats:
- unix_ms
- name: src.process.image.path
description: SrcProcessImagePath field
type: string
- name: src.process.image.extension
description: SrcProcessImageExtension field
type: string
- name: src.process.image.size
description: SrcProcessImageSize field
type: bigint
- name: src.process.userSid
description: SrcProcessUserSid field
type: string
- name: src.process.pid
description: SrcProcessPid field
type: bigint
- name: src.process.displayName
description: SrcProcessDisplayName field
type: string
- name: src.process.uid
description: SrcProcessUid field
type: string
- name: src.process.image.binaryIsExecutable
description: SrcProcessImageBinaryIsExecutable field
type: boolean
- name: src.process.integrityLevel
description: SrcProcessIntegrityLevel field
type: string
- name: src.process.signedStatus
description: SrcProcessSignedStatus field
type: string
- name: src.process.publisher
description: SrcProcessPublisher field
type: string
- name: src.process.verifiedStatus
description: SrcProcessVerifiedStatus field
type: string
- name: src.process.reasonSignatureInvalid
description: SrcProcessReasonSignatureInvalid field
type: string
- name: src.process.image.sha1
description: SrcProcessImageSha1 field
type: string
indicators:
- sha1
- name: src.process.image.md5
description: SrcProcessImageMd5 field
type: string
indicators:
- md5
- name: src.process.image.sha256
description: SrcProcessImageSha256 field
type: string
indicators:
- sha256
- name: src.process.subsystem
description: SrcProcessSubsystem field
type: string
- name: src.process.sessionId
description: SrcProcessSessionId field
type: bigint
- name: src.process.isNative64Bit
description: SrcProcessIsNative64Bit field
type: boolean
- name: src.process.isRedirectCmdProcessor
description: SrcProcessIsRedirectCmdProcessor field
type: boolean
- name: src.process.isStorylineRoot
description: SrcProcessIsStorylineRoot field
type: boolean
- name: src.process.activeContentType
description: SrcProcessActiveContentType field
type: string
- name: src.process.activeContent.id
description: SrcProcessActiveContentId field
type: string
- name: src.process.activeContent.path
description: SrcProcessActiveContentPath field
type: string
- name: src.process.activeContent.hash
description: SrcProcessActiveContentHash field
type: string
indicators:
- sha1
- name: src.process.activeContent.signedStatus
description: SrcProcessActiveContentSignedStatus field
type: string
- name: src.process.rpid
description: SrcProcessRpid field
type: bigint
- name: src.process.tid
description: SrcProcessTid field
type: bigint
- name: src.process.image.location
description: SrcProcessImageLocation field
type: string
- name: src.process.image.uid
description: SrcProcessImageUid field
type: string
- name: src.process.image.originalFileName
description: SrcProcessImageOriginalFileName field
type: string
- name: src.process.image.description
description: SrcProcessImageDescription field
type: string
- name: src.process.image.internalName
description: SrcProcessImageInternalName field
type: string
- name: src.process.image.productName
description: SrcProcessImageProductName field
type: string
- name: src.process.image.productVersion
description: SrcProcessImageProductVersion field
type: string
- name: src.process.image.type
description: SrcProcessImageType field
type: string
- name: cmdScript.content
description: CmdScriptContent field
type: string
- name: cmdScript.isComplete
description: CmdScriptIsComplete field
type: boolean
- name: cmdScript.sha256
description: CmdScriptSha256 field
type: string
indicators:
- sha256
- name: cmdScript.originalSize
description: CmdScriptOriginalSize field
type: bigint
- name: cmdScript.applicationName
description: CmdScriptApplicationName field
type: string
- name: osSrc.process.name
description: OsSrcProcessName field
type: string
- name: osSrc.process.storyline.id
description: OsSrcProcessStorylineId field
type: string
- name: osSrc.process.cmdline
description: OsSrcProcessCmdline field
type: string
- name: osSrc.process.user
description: OsSrcProcessUser field
type: string
- name: osSrc.process.startTime
description: OsSrcProcessStartTime field
type: timestamp
timeFormats:
- unix_ms
- name: osSrc.process.image.path
description: OsSrcProcessImagePath field
type: string
- name: osSrc.process.pid
description: OsSrcProcessPid field
type: bigint
- name: osSrc.process.displayName
description: OsSrcProcessDisplayName field
type: string
- name: osSrc.process.uid
description: OsSrcProcessUid field
type: string
- name: osSrc.process.image.binaryIsExecutable
description: OsSrcProcessImageBinaryIsExecutable field
type: boolean
- name: osSrc.process.integrityLevel
description: OsSrcProcessIntegrityLevel field
type: string
- name: osSrc.process.signedStatus
description: OsSrcProcessSignedStatus field
type: string
- name: osSrc.process.publisher
description: OsSrcProcessPublisher field
type: string
- name: osSrc.process.verifiedStatus
description: OsSrcProcessVerifiedStatus field
type: string
- name: osSrc.process.image.sha1
description: OsSrcProcessImageSha1 field
type: string
indicators:
- sha1
- name: osSrc.process.image.md5
description: OsSrcProcessImageMd5 field
type: string
indicators:
- md5
- name: osSrc.process.image.sha256
description: OsSrcProcessImageSha256 field
type: string
indicators:
- sha256
- name: osSrc.process.subsystem
description: OsSrcProcessSubsystem field
type: string
- name: osSrc.process.sessionId
description: OsSrcProcessSessionId field
type: bigint
- name: osSrc.process.isNative64Bit
description: OsSrcProcessIsNative64Bit field
type: boolean
- name: osSrc.process.isRedirectCmdProcessor
description: OsSrcProcessIsRedirectCmdProcessor field
type: boolean
- name: osSrc.process.isStorylineRoot
description: OsSrcProcessIsStorylineRoot field
type: boolean
- name: osSrc.process.activeContentType
description: OsSrcProcessActiveContentType field
type: string
- name: osSrc.process.activeContent.id
description: OsSrcProcessActiveContentId field
type: string
- name: osSrc.process.activeContent.path
description: OsSrcProcessActiveContentPath field
type: string
- name: osSrc.process.activeContent.hash
description: OsSrcProcessActiveContentHash field
type: string
indicators:
- sha1
- name: osSrc.process.activeContent.signedStatus
description: OsSrcProcessActiveContentSignedStatus field
type: string
- name: osSrc.process.reasonSignatureInvalid
description: OsSrcProcessReasonSignatureInvalid field
type: string
- name: osSrc.process.crossProcessCount
description: OsSrcProcessCrossProcessCount field
type: bigint
- name: osSrc.process.crossProcessOutOfStorylineCount
description: OsSrcProcessCrossProcessOutOfStorylineCount field
type: bigint
- name: osSrc.process.crossProcessDupRemoteProcessHandleCount
description: OsSrcProcessCrossProcessDupRemoteProcessHandleCount field
type: bigint
- name: osSrc.process.crossProcessDupThreadHandleCount
description: OsSrcProcessCrossProcessDupThreadHandleCount field
type: bigint
- name: osSrc.process.crossProcessOpenProcessCount
description: OsSrcProcessCrossProcessOpenProcessCount field
type: bigint
- name: osSrc.process.crossProcessThreadCreateCount
description: OsSrcProcessCrossProcessThreadCreateCount field
type: bigint
- name: osSrc.process.netConnCount
description: OsSrcProcessNetConnCount field
type: bigint
- name: osSrc.process.netConnInCount
description: OsSrcProcessNetConnInCount field
type: bigint
- name: osSrc.process.netConnOutCount
description: OsSrcProcessNetConnOutCount field
type: bigint
- name: osSrc.process.dnsCount
description: OsSrcProcessDnsCount field
type: bigint
- name: osSrc.process.tgtFileModificationCount
description: OsSrcProcessTgtFileModificationCount field
type: bigint
- name: osSrc.process.tgtFileCreationCount
description: OsSrcProcessTgtFileCreationCount field
type: bigint
- name: osSrc.process.tgtFileDeletionCount
description: OsSrcProcessTgtFileDeletionCount field
type: bigint
- name: osSrc.process.registryChangeCount
description: OsSrcProcessRegistryChangeCount field
type: bigint
- name: osSrc.process.indicatorBootConfigurationUpdateCount
description: OsSrcProcessIndicatorBootConfigurationUpdateCount field
type: bigint
- name: osSrc.process.indicatorEvasionCount
description: OsSrcProcessIndicatorEvasionCount field
type: bigint
- name: osSrc.process.indicatorExploitationCount
description: OsSrcProcessIndicatorExploitationCount field
type: bigint
- name: osSrc.process.indicatorGeneral.count
description: OsSrcProcessIndicatorGeneralCount field
type: bigint
- name: osSrc.process.indicatorInfostealerCount
description: OsSrcProcessIndicatorInfostealerCount field
type: bigint
- name: osSrc.process.indicatorInjectionCount
description: OsSrcProcessIndicatorInjectionCount field
type: bigint
- name: osSrc.process.indicatorPersistenceCount
description: OsSrcProcessIndicatorPersistenceCount field
type: bigint
- name: osSrc.process.indicatorPostExploitationCount
description: OsSrcProcessIndicatorPostExploitationCount field
type: bigint
- name: osSrc.process.indicatorRansomwareCount
description: OsSrcProcessIndicatorRansomwareCount field
type: bigint
- name: osSrc.process.indicatorReconnaissanceCount
description: OsSrcProcessIndicatorReconnaissanceCount field
type: bigint
- name: osSrc.process.childProcCount
description: OsSrcProcessChildProcCount field
type: bigint
- name: osSrc.process.moduleCount
description: OsSrcProcessModuleCount field
type: bigint
- name: osSrc.process.image.type
description: OsSrcProcessImageType field
type: string
- name: osSrc.process.image.extension
description: OsSrcProcessImageExtension field
type: string
- name: osSrc.process.image.size
description: OsSrcProcessImageSize field
type: bigint
- name: osSrc.process.image.location
description: OsSrcProcessImageLocation field
type: string
- name: osSrc.process.image.uid
description: OsSrcProcessImageUid field
type: string
- name: osSrc.process.image.signature.isValid
description: OsSrcProcessImageSignatureIsValid field
type: boolean
- name: osSrc.process.userSid
description: OsSrcProcessUserSid field
type: string
- name: src.process.parent.name
description: SrcProcessParentName field
type: string
- name: src.process.parent.storyline.id
description: SrcProcessParentStorylineId field
type: string
- name: src.process.parent.cmdline
description: SrcProcessParentCmdline field
type: string
- name: src.process.parent.user
description: SrcProcessParentUser field
type: string
- name: src.process.parent.startTime
description: SrcProcessParentStartTime field
type: timestamp
timeFormats:
- unix_ms
- name: src.process.parent.image.path
description: SrcProcessParentImagePath field
type: string
- name: src.process.parent.displayName
description: SrcProcessParentDisplayName field
type: string
- name: src.process.parent.uid
description: SrcProcessParentUid field
type: string
- name: src.process.parent.integrityLevel
description: SrcProcessParentIntegrityLevel field
type: string
- name: src.process.parent.signedStatus
description: SrcProcessParentSignedStatus field
type: string
- name: src.process.parent.publisher
description: SrcProcessParentPublisher field
type: string
- name: src.process.parent.image.sha1
description: SrcProcessParentImageSha1 field
type: string
indicators:
- sha1
- name: src.process.parent.image.md5
description: SrcProcessParentImageMd5 field
type: string
indicators:
- md5
- name: src.process.parent.image.sha256
description: SrcProcessParentImageSha256 field
type: string
indicators:
- sha256
- name: src.process.parent.sessionId
description: SrcProcessParentSessionId field
type: bigint
- name: src.process.parent.isNative64Bit
description: SrcProcessParentIsNative64Bit field
type: boolean
- name: src.process.parent.isRedirectCmdProcessor
description: SrcProcessParentIsRedirectCmdProcessor field
type: boolean
- name: src.process.parent.isStorylineRoot
description: SrcProcessParentIsStorylineRoot field
type: boolean
- name: src.process.parent.pid
description: SrcProcessParentPid field
type: bigint
- name: src.process.parent.image.type
description: SrcProcessParentImageType field
type: string
- name: src.process.parent.image.extension
description: SrcProcessParentImageExtension field
type: string
- name: src.process.parent.image.size
description: SrcProcessParentImageSize field
type: bigint
- name: src.process.parent.image.location
description: SrcProcessParentImageLocation field
type: string
- name: src.process.parent.image.uid
description: SrcProcessParentImageUid field
type: string
- name: src.process.parent.image.signature.isValid
description: SrcProcessParentImageSignatureIsValid field
type: boolean
- name: src.process.parent.userSid
description: SrcProcessParentUserSid field
type: string
- name: src.process.parent.image.binaryIsExecutable
description: SrcProcessParentImageBinaryIsExecutable field
type: boolean
- name: osSrc.process.parent.name
description: OsSrcProcessParentName field
type: string
- name: osSrc.process.parent.storyline.id
description: OsSrcProcessParentStorylineId field
type: string
- name: osSrc.process.parent.cmdline
description: OsSrcProcessParentCmdline field
type: string
- name: osSrc.process.parent.user
description: OsSrcProcessParentUser field
type: string
- name: osSrc.process.parent.startTime
description: OsSrcProcessParentStartTime field
type: timestamp
timeFormats:
- unix_ms
- name: osSrc.process.parent.image.path
description: OsSrcProcessParentImagePath field
type: string
- name: osSrc.process.parent.pid
description: OsSrcProcessParentPid field
type: bigint
- name: osSrc.process.parent.uid
description: OsSrcProcessParentUid field
type: string
- name: osSrc.process.parent.image.sha1
description: OsSrcProcessParentImageSha1 field
type: string
indicators:
- sha1
- name: osSrc.process.parent.image.md5
description: OsSrcProcessParentImageMd5 field
type: string
indicators:
- md5
- name: osSrc.process.parent.image.sha256
description: OsSrcProcessParentImageSha256 field
type: string
indicators:
- sha256
- name: osSrc.process.parent.displayName
description: OsSrcProcessParentDisplayName field
type: string
- name: osSrc.process.parent.integrityLevel
description: OsSrcProcessParentIntegrityLevel field
type: string
- name: osSrc.process.parent.signedStatus
description: OsSrcProcessParentSignedStatus field
type: string
- name: osSrc.process.parent.publisher
description: OsSrcProcessParentPublisher field
type: string
- name: osSrc.process.parent.reasonSignatureInvalid
description: OsSrcProcessParentReasonSignatureInvalid field
type: string
- name: osSrc.process.parent.sessionId
description: OsSrcProcessParentSessionId field
type: bigint
- name: osSrc.process.parent.isNative64Bit
description: OsSrcProcessParentIsNative64Bit field
type: boolean
- name: osSrc.process.parent.isRedirectCmdProcessor
description: OsSrcProcessParentIsRedirectCmdProcessor field
type: boolean
- name: osSrc.process.parent.isStorylineRoot
description: OsSrcProcessParentIsStorylineRoot field
type: boolean
- name: osSrc.process.parent.activeContentType
description: OsSrcProcessParentActiveContentType field
type: string
- name: osSrc.process.parent.activeContent.id
description: OsSrcProcessParentActiveContentId field
type: string
- name: osSrc.process.parent.activeContent.path
description: OsSrcProcessParentActiveContentPath field
type: string
- name: osSrc.process.parent.activeContent.hash
description: OsSrcProcessParentActiveContentHash field
type: string
indicators:
- sha1
- name: osSrc.process.parent.activeContent.signedStatus
description: OsSrcProcessParentActiveContentSignedStatus field
type: string
- name: osSrc.process.parent.image.type
description: OsSrcProcessParentImageType field
type: string
- name: osSrc.process.parent.image.extension
description: OsSrcProcessParentImageExtension field
type: string
- name: osSrc.process.parent.image.size
description: OsSrcProcessParentImageSize field
type: bigint
- name: osSrc.process.parent.image.location
description: OsSrcProcessParentImageLocation field
type: string
- name: osSrc.process.parent.image.uid
description: OsSrcProcessParentImageUid field
type: string
- name: osSrc.process.parent.image.signature.isValid
description: OsSrcProcessParentImageSignatureIsValid field
type: boolean
- name: osSrc.process.parent.userSid
description: OsSrcProcessParentUserSid field
type: string
- name: osSrc.process.parent.image.binaryIsExecutable
description: OsSrcProcessParentImageBinaryIsExecutable field
type: boolean
- name: osSrc.process.parent.subsystem
description: OsSrcProcessParentSubsystem field
type: string
- name: tgt.process.name
description: TgtProcessName field
type: string
- name: tgt.process.relation
description: TgtProcessRelation field
type: string
- name: tgt.process.storyline.id
description: TgtProcessStorylineId field
type: string
- name: tgt.process.cmdline
description: TgtProcessCmdline field
type: string
- name: tgt.process.user
description: TgtProcessUser field
type: string
- name: tgt.process.startTime
description: TgtProcessStartTime field
type: timestamp
timeFormats:
- unix_ms
- name: tgt.process.image.path
description: TgtProcessImagePath field
type: string
- name: tgt.process.pid
description: TgtProcessPid field
type: bigint
- name: tgt.process.displayName
description: TgtProcessDisplayName field
type: string
- name: tgt.process.uid
description: TgtProcessUid field
type: string
- name: tgt.process.image.binaryIsExecutable
description: TgtProcessImageBinaryIsExecutable field
type: boolean
- name: tgt.process.integrityLevel
description: TgtProcessIntegrityLevel field
type: string
- name: tgt.process.signedStatus
description: TgtProcessSignedStatus field
type: string
- name: tgt.process.publisher
description: TgtProcessPublisher field
type: string
- name: tgt.process.verifiedStatus
description: TgtProcessVerifiedStatus field
type: string
- name: tgt.process.reasonSignatureInvalid
description: TgtProcessReasonSignatureInvalid field
type: string
- name: tgt.process.image.sha1
description: TgtProcessImageSha1 field
type: string
indicators:
- sha1
- name: tgt.process.image.md5
description: TgtProcessImageMd5 field
type: string
indicators:
- md5
- name: tgt.process.image.sha256
description: TgtProcessImageSha256 field
type: string
indicators:
- sha256
- name: tgt.process.subsystem
description: TgtProcessSubsystem field
type: string
- name: tgt.process.sessionId
description: TgtProcessSessionId field
type: bigint
- name: tgt.process.isNative64Bit
description: TgtProcessIsNative64Bit field
type: boolean
- name: tgt.process.isRedirectCmdProcessor
description: TgtProcessIsRedirectCmdProcessor field
type: boolean
- name: tgt.process.isStorylineRoot
description: TgtProcessIsStorylineRoot field
type: boolean
- name: tgt.process.activeContentType
description: TgtProcessActiveContentType field
type: string
- name: tgt.process.activeContent.id
description: TgtProcessActiveContentId field
type: string
- name: tgt.process.activeContent.path
description: TgtProcessActiveContentPath field
type: string
- name: tgt.process.activeContent.hash
description: TgtProcessActiveContentHash field
type: string
indicators:
- sha1
- name: tgt.process.activeContent.signedStatus
description: TgtProcessActiveContentSignedStatus field
type: string
- name: src.process.crossProcessCount
description: SrcProcessCrossProcessCount field
type: bigint
- name: tgt.process.accessRights
description: TgtProcessAccessRights field
type: bigint
- name: tgt.process.image.uid
description: TgtProcessImageUid field
type: string
- name: tgt.process.image.extension
description: TgtProcessImageExtension field
type: string
- name: tgt.process.image.size
description: TgtProcessImageSize field
type: bigint
- name: tgt.process.completeness.hints
description: TgtProcessCompletenessHints field
type: bigint
- name: tgt.process.userSid
description: TgtProcessUserSid field
type: string
- name: event.processtermination.exitCode
description: EventProcessterminationExitCode field
type: bigint
- name: event.processtermination.signal
description: EventProcessterminationSignal field
type: string
- name: tgt.process.parent.image.type
description: TgtProcessParentImageType field
type: string
- name: tgt.process.parent.image.location
description: TgtProcessParentImageLocation field
type: string
- name: src.process.crossProcessOutOfStorylineCount
description: SrcProcessCrossProcessOutOfStorylineCount field
type: bigint
- name: src.process.crossProcessDupRemoteProcessHandleCount
description: SrcProcessCrossProcessDupRemoteProcessHandleCount field
type: bigint
- name: src.process.crossProcessDupThreadHandleCount
description: SrcProcessCrossProcessDupThreadHandleCount field
type: bigint
- name: src.process.crossProcessOpenProcessCount
description: SrcProcessCrossProcessOpenProcessCount field
type: bigint
- name: src.process.crossProcessThreadCreateCount
description: SrcProcessCrossProcessThreadCreateCount field
type: bigint
- name: src.ip.address
description: SrcIpAddress field
type: string
indicators:
- ip
- name: src.port.number
description: SrcPortNumber field
type: bigint
- name: dst.ip.address
description: DstIpAddress field
type: string
indicators:
- ip
- name: dst.port.number
description: DstPortNumber field
type: bigint
- name: event.network.direction
description: EventNetworkDirection field
type: string
- name: event.network.connectionStatus
description: EventNetworkConnectionStatus field
type: string
- name: event.network.protocolName
description: EventNetworkProtocolName field
type: string
- name: src.process.netConnCount
description: SrcProcessNetConnCount field
type: bigint
- name: src.process.netConnInCount
description: SrcProcessNetConnInCount field
type: bigint
- name: src.process.netConnOutCount
description: SrcProcessNetConnOutCount field
type: bigint
- name: event.dns.request
description: EventDnsRequest field
type: string
indicators:
- hostname
- name: event.dns.response
description: EventDnsResponse field
type: string
indicators:
- hostname
- name: event.dns.status
description: EventDnsStatus field
type: string
- name: src.process.dnsCount
description: SrcProcessDnsCount field
type: bigint
- name: src.process.exeModificationCount
description: SrcProcessExeModificationCount field
type: bigint
- name: src.process.modelChildProcessCount
description: SrcProcessModelChildProcessCount field
type: bigint
- name: url.address
description: UrlAddress field
type: string
indicators:
- url
- name: event.url.action
description: EventUrlAction field
type: string
- name: event.url.source
description: EventUrlSource field
type: string
- name: tgt.file.path
description: TgtFilePath field
type: string
- name: tgt.file.name
description: TgtFileName field
type: string
- name: tgt.file.oldPath
description: TgtFileOldPath field
type: string
- name: tgt.file.type
description: TgtFileType field
type: string
- name: tgt.file.size
description: TgtFileSize field
type: bigint
- name: tgt.file.extension
description: TgtFileExtension field
type: string
- name: tgt.file.id
description: TgtFileId field
type: string
- name: tgt.file.description
description: TgtFileDescription field
type: string
- name: tgt.file.internalName
description: TgtFileInternalName field
type: string
- name: tgt.file.location
description: TgtFileLocation field
type: string
- name: tgt.file.md5
description: TgtFileMd5 field
type: string
indicators:
- md5
- name: tgt.file.sha1
description: TgtFileSha1 field
type: string
indicators:
- sha1
- name: tgt.file.sha256
description: TgtFileSha256 field
type: string
indicators:
- sha256
- name: tgt.file.convictedBy
description: TgtFileConvictedBy field
type: string
- name: src.process.tgtFileModificationCount
description: SrcProcessTgtFileModificationCount field
type: bigint
- name: src.process.tgtFileCreationCount
description: SrcProcessTgtFileCreationCount field
type: bigint
- name: src.process.tgtFileDeletionCount
description: SrcProcessTgtFileDeletionCount field
type: bigint
- name: tgt.file.isSigned
description: TgtFileIsSigned field
type: string
- name: tgt.file.isExecutable
description: TgtFileIsExecutable field
type: boolean
- name: tgt.file.creationTime
description: TgtFileCreationTime field
type: timestamp
timeFormats:
- unix_ms
- name: tgt.file.modificationTime
description: TgtFileModificationTime field
type: timestamp
timeFormats:
- unix_ms
- name: tgt.file.oldSha1
description: TgtFileOldSha1 field
type: string
indicators:
- sha1
- name: tgt.file.oldMd5
description: TgtFileOldMd5 field
type: string
indicators:
- md5
- name: tgt.file.oldSha256
description: TgtFileOldSha256 field
type: string
indicators:
- sha256
- name: tgt.file.isDirectory
description: TgtFileIsDirectory field
type: boolean
- name: tgt.file.isKernelModule
description: TgtFileIsKernelModule field
type: boolean
- name: tgt.file.owner.name
description: TgtFileOwnerName field
type: string
- name: tgt.file.owner.userSid
description: TgtFileOwnerUserSid field
type: string
- name: tgt.file.publisher
description: TgtFilePublisher field
type: string
- name: tgt.file.signatureInvalidReason
description: TgtFileSignatureInvalidReason field
type: string
- name: tgt.file.signature.isValid
description: TgtFileSignatureIsValid field
type: boolean
- name: tgt.file.originalFileName
description: TgtFileOriginalFileName field
type: string
- name: tgt.file.productName
description: TgtFileProductName field
type: string
- name: tgt.file.productVersion
description: TgtFileProductVersion field
type: string
- name: registry.keyPath
description: RegistryKeyPath field
type: string
- name: registry.keyUid
description: RegistryKeyUid field
type: string
- name: src.process.registryChangeCount
description: SrcProcessRegistryChangeCount field
type: bigint
- name: registry.valueType
description: RegistryValueType field
type: string
- name: registry.value
description: RegistryValue field
type: string
- name: registry.valueFullSize
description: RegistryValueFullSize field
type: bigint
- name: registry.valueIsComplete
description: RegistryValueIsComplete field
type: boolean
- name: registry.oldValueType
description: RegistryOldValueType field
type: string
- name: registry.oldValue
description: RegistryOldValue field
type: string
- name: registry.oldValueFullSize
description: RegistryOldValueFullSize field
type: bigint
- name: registry.oldValueIsComplete
description: RegistryOldValueIsComplete field
type: boolean
- name: registry.owner.user
description: RegistryOwnerUser field
type: string
- name: registry.export.path
description: RegistryExportPath field
type: string
- name: registry.import.path
description: RegistryImportPath field
type: string
- name: registry.security.info
description: RegistrySecurityInfo field
type: bigint
- name: registry.owner.userSid
description: RegistryOwnerUserSid field
type: string
- name: task.name
description: TaskName field
type: string
- name: task.path
description: TaskPath field
type: string
- name: task.triggerType
description: TaskTriggerType field
type: bigint
- name: indicator.name
description: IndicatorName field
type: string
- name: indicator.category
description: IndicatorCategory field
type: string
- name: indicator.description
description: IndicatorDescription field
type: string
- name: indicator.metadata
description: IndicatorMetadata field
type: string
- name: indicator.identifier
description: IndicatorIdentifier field
type: string
- name: src.process.indicatorBootConfigurationUpdateCount
description: SrcProcessIndicatorBootConfigurationUpdateCount field
type: bigint
- name: src.process.indicatorEvasionCount
description: SrcProcessIndicatorEvasionCount field
type: bigint
- name: src.process.indicatorExploitationCount
description: SrcProcessIndicatorExploitationCount field
type: bigint
- name: src.process.indicatorGeneralCount
description: SrcProcessIndicatorGeneralCount field
type: bigint
- name: src.process.indicatorInfostealerCount
description: SrcProcessIndicatorInfostealerCount field
type: bigint
- name: src.process.indicatorInjectionCount
description: SrcProcessIndicatorInjectionCount field
type: bigint
- name: src.process.indicatorPersistenceCount
description: SrcProcessIndicatorPersistenceCount field
type: bigint
- name: src.process.indicatorPostExploitationCount
description: SrcProcessIndicatorPostExploitationCount field
type: bigint
- name: src.process.indicatorRansomwareCount
description: SrcProcessIndicatorRansomwareCount field
type: bigint
- name: src.process.indicatorReconnaissanceCount
description: SrcProcessIndicatorReconnaissanceCount field
type: bigint
- name: src.process.childProcCount
description: SrcProcessChildProcCount field
type: bigint
- name: module.path
description: ModulePath field
type: string
- name: module.sha1
description: ModuleSha1 field
type: string
indicators:
- sha1
- name: module.md5
description: ModuleMd5 field
type: string
indicators:
- md5
- name: src.process.moduleCount
description: SrcProcessModuleCount field
type: bigint
- name: event.login.userName
description: EventLoginUserName field
type: string
indicators:
- username
- name: event.login.baseType
description: EventLoginBaseType field
type: string
- name: src.endpoint.ip.address
description: SrcEndpointIpAddress field
type: string
indicators:
- ip
- name: event.login.loginIsSuccessful
description: EventLoginLoginIsSuccessful field
type: boolean
- name: event.login.accountName
description: EventLoginAccountName field
type: string
- name: event.login.type
description: EventLoginType field
type: string
- name: event.login.isAdministratorEquivalent
description: EventLoginIsAdministratorEquivalent field
type: boolean
- name: event.login.failureReason
description: EventLoginFailureReason field
type: string
- name: event.login.accountSid
description: EventLoginAccountSid field
type: string
- name: event.login.accountDomain
description: EventLoginAccountDomain field
type: string
- name: event.login.sessionId
description: EventLoginSessionId field
type: bigint
- name: event.logout.type
description: EventLogoutType field
type: string
- name: event.login.tgt.domainName
description: EventLoginTgtDomainName field
type: string
indicators:
- domain
- name: event.login.tgt.user.name
description: EventLoginTgtUserName field
type: string
indicators:
- username
- name: event.login.tgt.userSid
description: EventLoginTgtUserSid field
type: string
- name: event.logout.tgt.domainName
description: EventLogoutTgtDomainName field
type: string
indicators:
- domain
- name: event.logout.tgt.user.name
description: EventLogoutTgtUserName field
type: string
indicators:
- username
- name: event.logout.tgt.userSid
description: EventLogoutTgtUserSid field
type: string
- name: k8sCluster.name
description: K8sClusterName field
type: string
- name: k8sCluster.nodeName
description: K8sClusterNodeName field
type: string
- name: k8sCluster.namespace
description: K8sClusterNamespace field
type: string
- name: k8sCluster.namespaceLabels
description: K8sClusterNamespaceLabels field
type: string
- name: k8sCluster.controllerType
description: K8sClusterControllerType field
type: string
- name: k8sCluster.controllerName
description: K8sClusterControllerName field
type: string
- name: k8sCluster.controllerLabels
description: K8sClusterControllerLabels field
type: string
- name: k8sCluster.podName
description: K8sClusterPodName field
type: string
- name: k8sCluster.podLabels
description: K8sClusterPodLabels field
type: string
- name: k8sCluster.containerName
description: K8sClusterContainerName field
type: string
- name: k8sCluster.containerId
description: K8sClusterContainerId field
type: string
- name: k8sCluster.containerLabels
description: K8sClusterContainerLabels field
type: string
- name: k8sCluster.containerImage
description: K8sClusterContainerImage field
type: string
- name: src.process.parent.reasonSignatureInvalid
description: SrcProcessParentReasonSignatureInvalid field
type: string
- name: src.process.parent.activeContentType
description: SrcProcessParentActiveContentType field
type: string
- name: src.process.parent.activeContent.id
description: SrcProcessParentActiveContentId field
type: string
- name: src.process.parent.activeContent.path
description: SrcProcessParentActiveContentPath field
type: string
- name: src.process.parent.activeContent.hash
description: SrcProcessParentActiveContentHash field
type: string
indicators:
- sha1
- name: src.process.parent.activeContent.signedStatus
description: SrcProcessParentActiveContentSignedStatus field
type: string
- name: tiIndicator.source
description: TiIndicatorSource field
type: string
- name: tiIndicator.externalId
description: TiIndicatorExternalId field
type: string
- name: tiIndicator.uid
description: TiIndicatorUid field
type: string
- name: tiIndicator.type
description: TiIndicatorType field
type: string
- name: tiIndicator.value
description: TiIndicatorValue field
type: string
- name: tiIndicator.name
description: TiIndicatorName field
type: string
- name: tiIndicator.categories
description: TiIndicatorCategories field
type: string
- name: tiIndicator.description
description: TiIndicatorDescription field
type: string
- name: tiIndicator.metadata
description: TiIndicatorMetadata field
type: string
- name: tiIndicator.validUntil
description: TiIndicatorValidUntil field
type: timestamp
timeFormats:
- unix_ms
- name: tiIndicator.modificationTime
description: TiIndicatorModificationTime field
type: timestamp
timeFormats:
- unix_ms
- name: tiIndicator.uploadTime
description: TiIndicatorUploadTime field
type: timestamp
timeFormats:
- unix_ms
- name: tiIndicator.creationTime
description: TiIndicatorCreationTime field
type: timestamp
timeFormats:
- unix_ms
- name: tiIndicator.addedBy
description: TiIndicatorAddedBy field
type: string
- name: tiIndicator.comparisonMethod
description: TiIndicatorComparisonMethod field
type: string
- name: tiIndicator.mitreTactics
description: TiIndicatorMitreTactics field
type: string
- name: tiIndicator.intrusionSets
description: TiIndicatorIntrusionSets field
type: string
- name: tiIndicator.references
description: TiIndicatorReferences field
type: string
- name: tiIndicator.threatActors
description: TiIndicatorThreatActors field
type: string
- name: namedPipe.name
description: NamedPipeName field
type: string
- name: namedPipe.accessMode
description: NamedPipeAccessMode field
type: string
- name: namedPipe.typeMode
description: NamedPipeTypeMode field
type: string
- name: namedPipe.readMode
description: NamedPipeReadMode field
type: string
- name: namedPipe.waitMode
description: NamedPipeWaitMode field
type: string
- name: namedPipe.remoteClients
description: NamedPipeRemoteClients field
type: string
- name: namedPipe.maxInstances
description: NamedPipeMaxInstances field
type: bigint
- name: namedPipe.securityOwner
description: NamedPipeSecurityOwner field
type: string
- name: namedPipe.securityGroups
description: NamedPipeSecurityGroups field
type: string
- name: namedPipe.connectionType
description: NamedPipeConnectionType field
type: string
- name: namedPipe.isFirstInstance
description: NamedPipeIsFirstInstance field
type: boolean
- name: namedPipe.isWriteThrough
description: NamedPipeIsWriteThrough field
type: boolean
- name: namedPipe.isOverlapped
description: NamedPipeIsOverlapped field
type: boolean
- name: group.type
description: GroupType field
type: string
- name: group.id
description: GroupId field
type: string
- name: driver.loadVerdict
description: DriverLoadVerdict field
type: string
- name: driver.isLoadedBeforeMonitor
description: DriverIsLoadedBeforeMonitor field
type: boolean
- name: driver.startType
description: DriverStartType field
type: string
- name: driver.certificate.thumbprint
description: DriverCertificateThumbprint field
type: string
- name: driver.certificate.thumbprintAlgorithm
description: DriverCertificateThumbprintAlgorithm field
type: bigint
- name: i.scheme
description: IScheme field
type: string
- name: i.version
description: IVersion field
type: string
- name: meta.event.name
description: MetaEventName field
type: string
- name: mgmt.id
description: MgmtId field
type: string
- name: mgmt.osRevision
description: MgmtOsRevision field
type: string
- name: mgmt.url
description: MgmtUrl field
type: string
indicators:
- domain
- url
- name: os.name
description: OsName field
type: string
- name: process.unique.key
description: ProcessUniqueKey field
type: string
- name: sca:atlantisIngestTime
description: ScaAtlantisIngestTime field
type: timestamp
timeFormats:
- unix_ms
- name: sca:ingestTime
description: ScaIngestTime field
type: timestamp
timeFormats:
- unix_ms
- name: src.process.parent.subsystem
description: SrcProcessParentSubsystem field
type: string
- name: trace.id
description: TraceId field
type: string
indicators:
- trace_id
- name: account.id
required: true
description: AccountId field
type: string
